All, I have setup the ldapserver with PAM PassThrough and need help in figuring out the access.conf without use of netgroups. Can I simply use the groups with access.conf? I am only able to ssh as root, but not with any ldap account. I was able to ssh before making changes for the pam_access. Here are the files I edited. /etc/ldap.conf pam_member_attribute uniquemember (since 389-ds uses uniquemember for group membership) uri ldap://ldap.domain.com:389/ tls_checkpeer yes ssl start_tls tls_cacertdir /etc/openldap/cacerts pam_password md5 tls_cacertfile /etc/pki/tls/certs/ca-cert.crt /etc/security/access.conf + : root : ALL + : @groupname : ALL + : @groupname2 : ALL - : ALL : ALL authconfig --enableldap --enableldapauth --disablenis --enablecache --ldapserver=ldap.domain.com --ldapbasedn=dc=ldapdomain,dc=com --enableldaptls --disablekrb5 --krb5kdc=AD.ADdomain.com --krb5adminserver=AD.ADdomain.com --krb5realm=ADDOMAIN.COM --enablekrb5kdcdns --enablekrb5realmdns --enablepamaccess --enablemkhomedir --enablelocauthorize ?updateall /etc/pam.d/system-auth : account required pam_access.so accessfile=/etc/security/access.conf : Here?s the error message I got. I see that krb5 is succeeding my password but pam_access is blocking me. pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.12.0.95 user=psundaram Nov 18 11:01:44 wgldap01 sshd[8995]: pam_krb5[8995]: authentication succeeds for 'psundaram' (psundaram at ADDOMAIN.COM) Nov 18 11:01:45 wgldap01 sshd[8995]: pam_access(sshd:account): access denied for user `psundaram' from `10.12.0.95' Nov 18 11:01:45 wgldap01 sshd[8995]: pam_access(sshd:account): access denied for user `psundaram' from `10.12.0.95' Nov 18 11:01:45 wgldap01 sshd[8996]: fatal: Access denied for user psundaram by PAM account configuration Thanks, Prashanth -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20091118/98355226/attachment.html
